Last updated: May 14, 2026 at 10:49 AM UTC

Kaspersky finds 26 'FakeWallet' apps on Apple's App Store impersonating MetaMask, Coinbase, Trust Wallet, and Ledger to steal crypto seed phrases

Kaspersky identified 26 malicious iOS apps live on the Apple App Store impersonating major cryptocurrency wallets including MetaMask, Coinbase, Trust Wallet, Ledger, TokenPocket, imToken, Bitpie, and OneKey. The campaign, named FakeWallet and linked to the SparkKitty operation, has been running since fall 2025. The apps used typosquatted names, cloned icons, and stub functionality (games, calculators, task planners) to pass App Store review. Some embed compromised viewDidLoad routines that scan the screen for mnemonic words as the user types and exfiltrate seed phrases via RSA-encrypted payloads. Apple removed 25 of the 26 after disclosure; the developer behind the 26th was terminated.

Check
Audit wallet apps installed on any iOS device that holds crypto credentials - your own and team members' devices used for treasury, payroll, vendor payments, or personal investing.
Affected
iOS users who downloaded any of the 26 FakeWallet apps between fall 2025 and the April 2026 takedowns, particularly those with Apple account region set to China. Anyone who entered a seed phrase must assume their wallet is compromised. Cold wallet users are not exempt - some variants were embedded into companion apps.
Fix
Review every App Store download under any region, particularly wallet or crypto apps. Cross-check developer names against official wallet websites (MetaMask is ConsenSys, Trust Wallet is DApps Platform Inc., Ledger is Ledger SAS). Any wallet app that asks for your seed phrase is a thief. If exposed, transfer assets to a fresh wallet on known-clean hardware and treat the old seed as burned.